Microsoft Cyber Defense Operations Center

The world’s shortage of qualified cybersecurity workers has been steadily growing since 2013 and is expected to reach 3.5 million in 2021i. With the ever-evolving cyber threat landscape, the need for security experts is far outstripping supply. And we continue to see the impact that this security skill shortage has on organizations, with the increase in sophisticated cyber attacks and studies demonstrating 44% of alerts go uninvestigated due to a combination of talent scarcity.

As these gaps grow, the balance continues to tip further and further in favor of cyber spies, criminals and hacktivists and mischief makers.

As an industry, there are many strategies we may employ to close the gap. At a recent fireside chat, we discussed several hiring tactics that might close this gap:  like seeking newbies without much experience and training them to the tasks that need to be done, retraining people in cyber adjacent jobs, and utilizing DevOps and Machine Learning techniques to ease the burden. But the potentially most exciting and impactful opportunity is seeking to fill the gap from the pool of diversity.

Some of our challenges can only be solved by people—those with different backgrounds, ideas, and experiences. If we don’t expand the diversity of our teams, cybercriminals will exploit group preconceptions and biases. As we see statistically that gender-diverse teams make better business decisions 73% of the time.ii

To be fair, the industry as a whole has made some progress. In 2013, women only made up 11% of the cybersecurity workforce, but according to the National Initiative for Cybersecurity Careers and Studies, women today make up almost 25%. That’s positive but not nearly fast enough to close the gap. If we have any hope to fill these three and half million jobs, it makes sense that at least half of them should be filled with women.

Increasing diversity is more complex than you think

There are plenty of women, boatloads you might say, who are qualified to fill some of these vacancies. But, within the organizations we all work for, there exists conscious and unconscious resistance to changing the hiring process to take advantage of this potential employment pipeline. To reduce this friction requires leaders to understand the complex issues involved and demand that forward progress be made.

Some hiring managers may reject qualified minority candidates because they don’t fit a preconceived and often time unrealistic notion of a cybersecurity professional. They look for years of experience, one or more technical degrees, and multiple certifications. That checklist would indicate the organization is looking for seasoned professionals and leaves no room to consider entry-level employees with promise. We all have that seasoned professional working for us or want one. But since we can’t find them, perhaps a new strategy is required. Expanding our definition of the “best cybersecurity professional” talent is required, as they may not already work in cybersecurity or have a college degree, but are highly skilled problem solvers.  Perhaps we should consider hiring young and hungry cybersecurity professionals and give them the low-level tasks that are currently burdening our seasoned veterans. This helps us train the newbies and provides relief to the seasoned professional.

Your job isn’t done once you hire the new minority employee either. You have to work hard to keep them. The Center for Talent Innovation study found that nearly 52% of women leave the technology field, almost double the percentage of men. It attributes this in part to women feeling stalled in their careers and work environments. The study’s take-away is that as you bring new people into your security organization, leaders must foster an environment where solicited input and ideas are encouraged, even from the newbies, and they must build mentorship and peer exchange support structures. After all, people stay where they are welcome.

What can Boards do right now?

Filling the cybersecurity job gap with a focus on diverse hiring is not only the hiring manager’s responsibility. In other words, this will not succeed from a grass roots effort from the ground up. This is an organizational strategy and needs to come from the top down with senior executives and other company leaders prioritizing a diverse workforce and asking themselves tough questions about why there are no women or minorities on their technology teams.

Dr. Freada Kapor Klein offers some practical advice. She is a venture capitalist, a social policy researcher and a philanthropist. She and her colleagues published a study on what is working and what is not working to improve the hiring of minorities in Silicon Valley.

ERGs are important, but they need to be one part of the overall Diversity and Inclusion (D&I) strategy; not the only thing the company does. According to Dr. Klein, the five common pillars to a D&I strategy include:

(1) Having a D&I Director or Manager

(2) Having Explicit Diversity Goals

(3) Having Employee Resource Groups [ERG]

(4) Offering Bonuses for Recruiting/Referring Diverse Candidates

(5) Implementing Unconscious Bias Training

The promising outcome from Dr. Klein’s study is that organizations that execute these strategies in parallel have success.

Encouraging Women in Cyber Security

Security knowledge and experience people learn as they go along, and it is not something any of us was born with.  Microsoft and The Cyberwire both support opportunities to encourage women to consider careers in Cybersecurity and expanding career opportunities. As an industry we have opportunity for creating networking in terms of peers and mentors. One effort in that regard is the CyberWires’s Creating Connections newsletter that highlights women in the cybersecurity profession and their contributions. Microsoft’s Women in Security is long-running, company-wide initiative that started with the goal of building a strong internal community of female cyber professionals through programs, and mentorships.

For lots of reasons that are way more nuanced than you might have thought, executive leadership has not been able to close the cybersecurity hiring gap. Within the organizations you are responsible for, there exists conscious and unconscious resistance to changing the way the company does things.

The work to develop programs and practices that attract and retain diverse teams is ongoing, but by embracing these practices, we can both positively impact this cyber skill shortage, and more effectively secure your organization against threats.

Watch our Fireside chat for a discussion on other opportunities on reducing the cyber security skills shortage.

Microsoft offers a number of learning opportunities for individuals expanding their careers in cyber security or for organizations investing in training talent: Microsoft Virtual Training Days,  Fundamentals of Security Skilling PathSecurity Technical Hub

To learn about more about the opportunities of a career in cybersecurity – hear personal journeys of cybersecurity professionals around the globe through the Cyberwire podcast at